b'   U.S. ELECTION ASSISTANCE COMMISSION \n\n        OFFICE OF INSPECTOR GENERAL\n\n\n\n\n\n                      FINAL REPORT:\n      AUDIT OF U.S. ELECTION ASSISTANCE COMMISSION\xe2\x80\x99S\n\n           COMPLIANCE WITH SECTION 522 OF THE\n\n         2005 CONSOLIDATED APPROPRIATIONS ACT\n\n\n\n\n\nNO. I-PA-EAC-02-08\nMARCH 2009\n\x0c                          U.S. ELECTION ASSISTANCE COMMISSION\n                                   OFFICE OF INSPECTOR GENERAL\n\n                                 1225 New York Ave. NW - Suite 1100 \n\n                                       Washington, DC 20005\n\n\n\n\n                                                                                    March 4, 2009\n\nMemorandum\n\nTo:          \tGineen Beach\n              Chair, U.S. Election Assistance Commission\n\nFrom:\t       Curtis W. Crider\n             Inspector General\n\nSubject: \t Final Audit Report \xe2\x80\x93 Audit of U.S. Election Assistance Commission\xe2\x80\x99s Compliance\n           with Section 522 of the 2005 Consolidated Appropriations Act\n           (Assignment No. I-PA-EAC 02-08)\n\n        We contracted with the independent certified public accounting firm of Clifton\nGunderson LLP (Clifton Gunderson) to conduct the subject audit. 
The objective of the audit was\nto determine whether: (1) the necessity of using personally identifiable information for\nprocessing was properly evaluated; (2) the EAC had established adequate procedures governing\nthe collection, use and security of personally identifiable information; and (3) EAC had properly\ncomplied with the prescribed procedures to prevent unauthorized access to and the unintended\nuse of personally identifiable information.\n\n       The review found that the EAC was not fully compliant with several Privacy Act\nRequirements:\n\n      \xef\x82\xb7\t A Chief Privacy Officer with the responsibility for monitoring and enforcing privacy\n         related policies and procedures has not been designated.\n\n      \xef\x82\xb7\t EAC has not identified systems housing personally identifiable information or conducted\n         related Privacy Impact Assessments as required by the Office of Management and Budget\n         Memorandum 06-16, Requirements for Protecting Personally Identifiable Information.\n\n      \xef\x82\xb7\t No formalized policies and procedures are in place for Personally Identifiable\n         Information which: (1) explicitly identify the rules for determining whether physical\n         removal is allowed; (2) require the information be encrypted and that appropriate\n         procedures, training and accountability measures are in place to ensure that remote use of\n         this encrypted information does not result in bypassing the protections provided by the\n         encryption; (3) explicitly identify the rules for determining whether remote access is\n         allowed for personally identifiable information that can be removed; (4) require that the\n         remote access be accomplished via a virtual private network connection established using\n         agency issued authentication certificate (s) or hardware token, when remote access is\n         allowed; (5) identify the rules for determining whether download or 
remote storage of the\n         information is allowed, when remote access is allowed.\n\x0c       Based on the Executive Director\xe2\x80\x99s response to the draft report, dated February 20,\n2009, we consider Recommendation No. 4 resolved and implemented. The remaining\nrecommendations are considered resolved but not implemented. Please notify the Office of\nInspector General when the proposed corrective actions have been completed.\n\n        The Inspector General Act of 1978, as amended, requires semiannual reporting to\nCongress on all reports issued, actions taken to implement recommendations, and\nrecommendations that have not been implemented. Therefore, we will include the information in\nthe attachment in our next semiannual report to Congress. The distribution of this report is not\nrestricted, and copies are available for public inspection.\n\n       We appreciate the cooperation and assistance of EAC personnel during the audit. If you\nor your staff has any questions, please contact me at (202) 566-3125.\n\nAttachments\n\nCc: Commissioners Hillman, Davidson\n   Executive Director\n   Chief Operating Officer\n   Director of Administration\n\x0cELECTION ASSISTANCE COMMISSION\n\n             (EAC)\n\n\n\n Report on the 2008 Review of EAC\xe2\x80\x99s Compliance\n\nwith Section 522 of the Consolidated Appropriations\n\n                     Act, 2005.\n\n (Policies, Procedures & Practices for Protection of\n\n         Personally Identifiable Information)\n\n\n\n\n\n               Clifton Gunderson LLP\n\n                September 30, 2008\n\n\x0c                                                   TABLE OF CONTENTS\n\n\n\n                                                                                                                                PAGE\n\n\n\nTRANSMITTAL LETTER............................................................................................................1\n\n\n\n\nEXECUTIVE SUMMARY 
............................................................................................................2\n\n\n\n\nBACKGROUND..........................................................................................................................2\n\n\n\n\nSCOPE AND METHODOLOGY .................................................................................................5\n\n\n\n\nDETAILED RESULTS OF REVIEW............................................................................................7\n\n\n\n\nAPPENDIX ...............................................................................................................................13\n\n\x0c                                                                            t\n\na1\n\n\nMr. Curtis Crider\nOffice of the Inspector General\nU.S. Election Assistance Commission\n1225 New York Avenue NW, Suite 1100\nWashington, DC 20005\n\nDear Mr. Crider,\n\nWe are pleased to present our report on the Election Assistance Commission\xe2\x80\x99s (EAC)\ncompliance with protection of personal data in an identifiable form. This review included\nassessing compliance with applicable federal security and privacy laws and regulations as well\nas assessing the privacy and data protection procedures used by EAC as they relate to the\nguidelines set forth in Section 522-d of the Omnibus Spending Bill for Transportation, Treasury,\nIndependent Agencies, and General Government Appropriations Act of 2005. 
The objective of\nour review was to determine whether: (1) the necessity of using personally identifiable\ninformation for processing was properly evaluated; (2) EAC had established adequate\nprocedures governing the collection, use and security of personally identifiable information; and\n(3) EAC had properly complied with the prescribed procedures to prevent unauthorized access\nto and unintended use of personally identifiable information.\n\nWe interviewed key personnel involved in identifying and protecting personally identifiable\ninformation and reviewed documentation supporting EAC\xe2\x80\x99s efforts to comply with federal privacy\nand security laws and regulations.\n\nThis performance audit was conducted from August 2008 to September 2008 at the EAC office\nin Washington, District of Columbia in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on\nour audit objectives. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nWe appreciate the opportunity to have served you once more and are grateful for the courtesy\nand hospitality extended to us by EAC personnel. 
Please do not hesitate to call me at (301)\n931-2050 or email at george.fallon@cliftoncpa.com if you have questions.\n\nSincerely,\nCLIFTON GUNDERSON LLP\n\n\na1\nCalverton, Maryland\nSeptember 30, 2008\n11710 Beltsville Drive\nSuite 300\nCalverton, MD 20705\xc2\xad3106\n\n\n                                                                                h\ntel: 301\xc2\xad931\xc2\xad2050\nfax: 301\xc2\xad931\xc2\xad1710                                  1\nwww.cliftoncpa.com                Offices in 17 states and Washington, DC\n\x0cEXECUTIVE SUMMARY\n\nBased on our review, EAC has (a) developed and implemented a privacy training course for\nemployees and contractors; and (b) assigned privacy oversight responsibilities. However, more\nwork remains to be accomplished. Specifically, we noted the following:\n\nEAC is not fully compliant with several Privacy Act Requirements, including:\n\n     \xe2\x80\xa2\t\t A Chief Privacy Officer with the responsibility for monitoring and enforcing privacy\n         related policies and procedures has not been designated.\n     \xe2\x80\xa2\t\t EAC has not identified systems housing personally identifiable information or conducted\n         related Privacy Impact Assessments (PIA\xe2\x80\x99s) as required by the Office of Management\n         and Budget (OMB) Memorandum 06-16, Requirements for Protecting Personally\n         Identifiable Information.\n     \xe2\x80\xa2\t\t No formalized policies and procedures are in place for Personally Identifiable Information\n         which: (1) explicitly identify the rules for determining whether physical removal is\n         allowed; (2) require the information be encrypted and that appropriate procedures,\n         training and accountability measures are in place to ensure that remote use of this\n         encrypted information does not result in bypassing the protections provided by the\n         encryption; (3) explicitly identify the rules for determining whether remote access is\n     
    allowed for personally identifiable information that can be removed; (4) require that the\n         remote access be accomplished via a virtual private network (VPN) connection\n         established using agency issued authentication certificate (s) or hardware token, when\n         remote access is allowed; (5) identify the rules for determining whether download or\n         remote storage of the information is allowed, when remote access is allowed.\n\nBACKGROUND\n\nOn December 8, 2004, the President signed into law H.R. 4818, Consolidated Appropriations\nAct, 2005 (Public Law 108-447). Title V, Section 522 of this act mandates the designation of a\nsenior privacy official, establishment of privacy and data protection procedures, a written report\nof the agency\xe2\x80\x99s use of information in an identifiable form,1 an independent third party review of\nthe agency\xe2\x80\x99s use of information in an identifiable form, and a report by the Inspector General to\nthe agency head on the independent review and resulting recommendations. Section 522 (d) (3)\nrequires the Inspector General to contract with an independent third party privacy professional\nto evaluate the agency\xe2\x80\x99s use of information in an identifiable form, and the privacy and data\nprotection procedures of the agency. The independent review is to include (a) an evaluation of\nthe agency\xe2\x80\x99s use of information in identifiable form, (b) an evaluation of the agency\xe2\x80\x99s privacy\nand data protection procedures, and (c) recommendations on strategies and specific steps to\nimprove privacy and data protection management. Section 522 requires the agency to have an\nindependent third party review at least every 2 years and requires the Inspector General to\nsubmit a detailed report on the review to the head of the agency. The third party report and\nrelated Inspector General report are to be made available to the public, i.e. 
internet availability.\n\nIn addition to Section 522, Federal agencies are subject to a number of other legislative\nrequirements aimed at protecting the privacy rights of individuals and agency held sensitive\ninformation. Further, recent high-profile incidences surrounding actual or potential privacy\n\n1\n  Identifiable form is any representation of information that permits the identity of an individual to whom the information applies\nto be reasonably inferred by either direct or indirect means. Personally identifiable information (PII) has a similar meaning and\nwill be the term used throughout this document.\n\n\n                                                                 2\n\n\x0cbreaches or loss of sensitive information has lead to increased direction from OMB to agencies\nin the form of a memorandum. A listing of key privacy related statutes, policies and guidelines\nfollows.\n\n   \xe2\x80\xa2\t\t The Privacy Act of 1974, as amended\n   \xe2\x80\xa2\t\t The E-Government Act of 2002, section 208\n   \xe2\x80\xa2\t\t Federal Information Processing Standard Publication (FIPS PUB) 199, Standards for\n       Security Categorization of Federal Information and Information Systems\n   \xe2\x80\xa2\t\t FIPS PUB 200, Minimum Security Requirements for Federal Information and Information\n       Systems\n   \xe2\x80\xa2\t\t NIST Special Publications 800-60, volume I: Guide for Mapping Types of Information\n       and Information Systems to Security Categories\n   \xe2\x80\xa2\t\t NIST 800-60, Volume II: Guide for Mapping Types of Information and Information\n       Systems to Security Categories\n   \xe2\x80\xa2\t\t OMB Circular No. 
A-130, Management of Federal Information Resources, Appendix I,\n       Federal Agency Responsibilities for maintaining Records about Individuals\n   \xe2\x80\xa2\t\t OMB Memorandum M-03-18, Implementation of E-government Act of 2002\n   \xe2\x80\xa2\t\t OMB Memorandum M-03-22, OMB guide for Implementation of the E-Government Act of\n       2002\n   \xe2\x80\xa2\t\t OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy\n   \xe2\x80\xa2\t\t OMB Memorandum M-06-16, Protection of Sensitive Agency Information\n   \xe2\x80\xa2\t\t OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable\n       Information and Incorporating the Cost for Security in Agency Information Technology\n       Investments\n   \xe2\x80\xa2\t\t OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of\n       Personally Identifiable Information\n   \xe2\x80\xa2\t\t OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security\n       Configurations\n   \xe2\x80\xa2\t\t OMB Memorandum M-07-19, Reporting Instructions for Federal Information Security\n       Management Act and Agency Privacy Management\n   \xe2\x80\xa2\t\t EAC Information System Security Policy (Draft)\n   \xe2\x80\xa2\t\t EAC Privacy Protection Policies (Draft)\n\nEAC\xe2\x80\x99s use of personally identifiable information and related policies and procedures\n\nCongress established EAC with the passage of the Help America Vote Act (HAVA) in October\n2002. EAC became operational in fiscal year 2004. The EAC is an independent, bipartisan\nagency created by HAVA. It assists and guides State and local election administrators in\nimproving the administration of elections for Federal office. 
The EAC provides assistance by\ndispersing Federal funds to States to implement HAVA requirements, auditing the use of HAVA\nfunds, adopting the voluntary voting system guidelines, and serving as a national clearinghouse\nand resource of information regarding election administration. The EAC also accredits testing\nlaboratories and certifies, decertifies, and recertifies voting systems.\n\nEAC\xe2\x80\x99s principle responsibilities are to:\n\n    \xe2\x80\xa2\t\t Administer funds that HAVA authorized for states to improve the administration of\n        Federal elections, to replace-punch card and lever-action voting machines, and to meet\n        the election technology and other administrative requirements of HAVA. To date, states\n        have received Federal payments of approximately $3 billion.\n\n\n                                               3\n\n\x0c    \xe2\x80\xa2\t\t Serve as a national clearinghouse on matters concerning the administration of elections\n          under Federal law; and provide outreach to state and local election officials.\n    \xe2\x80\xa2\t\t Develop and update standards on voting systems and provide guidance on subjects\n         such as statewide voter registrations systems and provisional ballots critical to the\n         implementation of HAVA.\n    \xe2\x80\xa2\t\t Implement a system to accredit laboratories that test voting systems and to certify,\n         decertify, and recertify voting system software and hardware against standards.\n\nHAVA requires the EAC to:\n\n    \xe2\x80\xa2\t\t   Generate technical guidance on the administration of federal elections.\n    \xe2\x80\xa2\t\t   Produce voluntary voting systems guidelines.\n    \xe2\x80\xa2\t\t   Research and report on matters that affect the administration of federal elections.\n    \xe2\x80\xa2\t\t   Otherwise provide information and guidance with respect to laws, procedures, and\n           technologies affecting the administration of Federal elections.\n    
\xe2\x80\xa2\t\t   Administer payments to States to meet HAVA requirements.\n    \xe2\x80\xa2\t\t   Provide grants for election technology development and for pilot programs to test\n           election technology.\n    \xe2\x80\xa2\t\t   Manage funds targeted to certain programs designed to encourage youth participation\n           in elections.\n    \xe2\x80\xa2\t\t   Develop a national program for the testing, certification, and decertification of voting\n           systems.\n   \xe2\x80\xa2\t\t    Maintain the national mail voter registration form that was developed in accordance with\n          the National Voter Registration Act of 1993 (NVRA), report to Congress every two years\n          on the impact of the NVRA on the administration of federal elections, and provide\n          information to States on their responsibilities under that law.\n   \xe2\x80\xa2\t\t    Submit an annual report to Congress describing EAC activities for the previous fiscal\n          year.\n\nThe EAC has an operating budget of approximately $26 million and has 38 employees and\ncontractors. The EAC is headed by four Commissioners who are nominated by the President\nand confirmed by the U.S. Senate. Commissioners may serve only two consecutive terms.\nCommissioners serve staggered terms. No more than two Commissioners may belong to the\nsame political party. The Commissioner Chairmanship rotates every year.\n\nThe EAC privacy function is temporarily assigned to the human resources specialist. However,\nresponsibilities for privacy policy development, leadership, monitoring or enforcement have not\nbeen formally designated within a position description. A Privacy training course has been\ndeveloped which is required to be completed by all EAC employees and contractors. 
EAC\nprivacy policies and procedures are presently undergoing development, and in the interim,\nemployees and contractors are referred to respective policies existing at their external service\nprovider, General Services Administration (GSA). Privacy data is not stored, accessed or\ntransmitted electronically at EAC. All personnel documents (i.e. Personally Identifiable\nInformation(PII) data) are sent via fax, FedEx or United Postal Service (UPS) to the GSA\nAgency Liaison\xe2\x80\x99s office. This office uploads all EAC information (includes PII data) to the\nappropriate applications or databases. EAC employees or contractors do not have access to the\nGSA human resources system (i.e. CHRIS) which is utilized to store this data.\n\n\n\n\n                                                   4\n\n\x0cSCOPE AND METHODOLOGY\n\nEAC\xe2\x80\x99s Office of the Inspector General (OIG) contracted with Clifton Gunderson LLP to conduct\nan audit of EAC\xe2\x80\x99s privacy and data protection policies and procedures in compliance with\nSection 522. The objective of this review was to assess the progress of EAC\xe2\x80\x99s Privacy Office in\ncarrying out its responsibilities under federal law, more specifically, to determine whether: (1)\nthe necessity of using personally identifiable information for processing was properly evaluated;\n(2) EAC had established adequate procedures governing the collection, use and security of\npersonally identifiable information; and (3) EAC properly complied with the prescribed\nprocedures to prevent unauthorized access to and unintended use of personally identifiable\ninformation.\n\nTo address this objective, we reviewed federal statutes including the Privacy Act of 1974 and\nSection 208 of the E-Government Act, to identify responsibilities of EAC\xe2\x80\x99s Privacy Office. We\nreviewed and analyzed privacy policies, guidance, and reports, and interviewed with officials\nfrom the Privacy Office. 
The personnel interviewed included the acting Privacy Officer for EAC\nto identify privacy office\xe2\x80\x99s plans, priorities, and processes for implementing its responsibilities\nusing available resources.\n\nWe further evaluated the Privacy Office policies, guidance, and processes for ensuring\ncompliance with the Privacy Act, and the E-Government Act. We analyzed the System of\nRecords Notice (SORN)s and PIA development processes and assessed the progress of the\noffice in implementing these processes. This analysis included analyzing the Privacy Office\xe2\x80\x99s\noverview of PIAs developed and assessing the overall quality of published PIAs.\n\nPerform an assessment of EAC\xe2\x80\x99s privacy policies\nWe reviewed EAC information management practices for protection of PII, as they relate to the\nguidelines set forth in Section 522-d of the 2005 Government Appropriations Act. Public Law\n107-347, the E-Government Act of 2002, defines \xe2\x80\x9cidentifiable form\xe2\x80\x9d as any representation of\ninformation that permits the identity of an individual to whom the information applies to be\nreasonably inferred by either direct or indirect means. 
We performed procedures to assist the\nOIG in evaluating EAC\xe2\x80\x99s information management practices in order to:\n\n    A.\t Determine the accuracy of the descriptions of the use of information in identifiable form2\n        while accounting for current technologies and processing methods;\n    B.\t Determine the effectiveness of privacy and data protection procedures by measuring\n        actual practices against established procedural guidelines;\n    C.\t Determine compliance with the stated privacy and data protection policies of EAC and\n        applicable laws and regulations;\n    D.\t Determine whether all technologies used to collect, use, store, and disclose information\n        in identifiable form allow for continuous auditing of compliance with stated privacy\n        policies and practices governing the collection, use, and distribution of information in\n        operation of the program, and\n\n\n2\n information in identifiable form is information in an IT system or online collection: (i) that directly identifies an\nindividual (e.g., name, address, social security number or other identifying number or code, telephone number, email\naddress, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data\nelements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date,\ngeographic indicator, and other descriptors).\n\n\n                                                          5\n\n\x0c   E.\t Provide EAC with recommendations, strategies, and specific steps, to improve privacy\n       and data protection management.\n   F.\t Evaluate EAC\xe2\x80\x99s use of information in identifiable form.\n\nWe examined EAC\xe2\x80\x99s PII policies, practices and data protection procedures and mechanisms in\noperation. 
Specifically, the tasks focused on:\n\n   \xe2\x80\xa2\t\t A review of the agency\xe2\x80\x99s technology, practices and procedures with regard to the\n       collection, use, sharing, disclosure, transfer, and storage of information in an identifiable\n       form;\n   \xe2\x80\xa2\t\t A review of the agency\xe2\x80\x99s stated privacy and data protection policies and procedures for\n       personal information of employees and the public;\n   \xe2\x80\xa2\t\t A detailed analysis of agency intranet, network and Websites for privacy vulnerabilities;\n   \xe2\x80\xa2\t\t A review of agency compliance with the Section 522 of the Appropriations Act of 2005;\n   \xe2\x80\xa2\t\t An analysis of the extent to which the Privacy Report filed with the EAC Inspector\n       General (IG) is accurate, accounts for the EAC\xe2\x80\x99s current technologies, information\n       processing, and whether all areas are consistent with the section 522 of the\n       Appropriations Act 2005;\n   \xe2\x80\xa2\t\t A follow-up review of findings identified in any previous EAC OIG reports; and\n\nGiven that the overall privacy control environment of the EAC is based on the Privacy           Act,\nincremental compliance directives from OMB, and internal policies and procedures,                the\ncontractor should consider, and include where appropriate, assessment of OMB privacy            and\nsecurity memorandums as well as EAC policies and procedures in determining compliance           with\nSection 522.\n\nThe E-Government Act of 2002 requires agencies to conduct a PIA either (1) before developing\nor procuring information technology systems or projects that collect, maintain or disseminate\ninformation in identifiable form or (2) when initiating a new electronic collection of information in\nidentifiable form for 10 or more persons (excluding agencies, instrumentalities or employees of\nthe federal government). 
In general, PIAs are required to be performed and updated as\nnecessary where a system change creates new privacy risks, for example, when converting\npaper-based records to electronic systems. On the other hand, no PIA is required where (1)\ninformation relates to internal government operations, (2) has been previously assessed under\nan evaluation similar to a PIA, or (3) where privacy issues are unchanged.\n\nTo accomplish the above-mentioned objectives, we:\n\n   \xe2\x80\xa2\t\t Verified that EAC had identified and maintained an inventory of information systems\n       containing PII and systems requiring PIAs and had conducted PIAs for electronic\n       information systems.\n   \xe2\x80\xa2\t\t Reviewed a sample of PIAs for the systems selected under review and noted the\n       following:\n       o\t What information was collected (e.g., nature and source).\n       o\t Why the information was collected (e.g., to determine eligibility).\n       o\t Intended use of the information (e.g., to verify existing data).\n       o\t With whom the information was shared (e.g., another agency for a specified\n            programmatic purpose).\n\n\n\n\n                                                 6\n\n\x0c         o\t What opportunities individuals had to decline to provide information or to consent to\n             particular uses of the information (other than required or authorized uses), and how\n             individuals communicated consent.\n         o\t How the information was secured from abusive use (e.g., administrative and\n             technological controls).\n     \xe2\x80\xa2\t\t Selected a representative sample of systems and tested technical controls to achieve\n         the PII protection objectives.\n     \xe2\x80\xa2\t\t Reviewed the nature and use of PII, to determine whether a SORN was required and if\n         required, whether one was published. 
We further reviewed EAC\xe2\x80\x99s publication of SORNs\n         in the Federal Register and verified that they contained only information about\n         individuals that was "relevant and necessary" to accomplish EAC\xe2\x80\x99s purpose. We verified\n         that this information was updated as necessary.\n\nFor the Fiscal Year 2008 Privacy Assessment, we were not engaged to and did not perform\nprocedures to determine if the inventory of systems containing PII data was exhaustive and if\nEAC had performed procedures to ensure all EAC IT systems had been reviewed for existence\nof PII information.\n\nDETAILED RESULTS OF REVIEW\n\n1.      EAC is not fully compliant with several Privacy Act Requirements, including:\n\n        \xe2\x80\xa2\t\t   A Chief Privacy Officer with the responsibility for monitoring and enforcing privacy\n              related policies and procedures has not been designated.\n        \xe2\x80\xa2\t\t   EAC has not identified systems housing personally identifiable information or\n              conducted related PIA\xe2\x80\x99s.\n        \xe2\x80\xa2\t\t   EAC has not developed formal policies that address the information protection\n              needs associated with PII that is accessed remotely or physically removed.\n\n        We reviewed EAC\'s compliance with privacy protection of PII and determined that EAC\n        has temporarily assigned Privacy Officer duties to the Human Resource Specialist.\n\n        We noted the 2008 FISMA Review performed for the GSA does not specify which\n        systems were covered by this review. The FISMA template lists GSA systems by region\n        and bureau [rather than by the system name] making it difficult to determine if EAC\n        supported systems were part of this review. 
EAC does not have an inventory of systems\n        covered by the FISMA evaluation and in which bureau or region these systems are\n        located, or performed a PIA on systems identified as containing EAC PII.\n\n        OMB M-06-16 states that: Verify information categorization to ensure identification of\n        personally identifiable information requiring protection when accessed remotely or\n        physically removed. The purpose is to review the Federal Information Processing\n        Standards (FIPS) Publication No. 199 security categorization of organizational\n        information with the focus on remote access and physical removal. The intent is to\n        ensure all personally identifiable information through which a moderate or high impact\n        might result has been explicitly identified. For example, databases where the loss,\n        corruption, or unauthorized access to personally identifiable information contained in the\n        databases could result in a serious adverse effect, with widespread impact on individual\n        privacy being one area of specific concern.\n\n\n\n\n                                                 7\n\n\x0cNIST Special Publication 800-53 Rev 2 (PL-5) states: \xe2\x80\x98The organization conducts a\nprivacy impact assessment on the information system in accordance with OMB policy\xe2\x80\x99.\n\nOMB Circular M-06-16 \xe2\x80\x98Protection of Sensitive Agency Information\xe2\x80\x99 requires agencies to\nimplement organizational policy that addresses the information protection needs\nassociated with personally identifiable information that is accessed remotely or\nphysically removed\xe2\x80\x99.\n\nWe reviewed the critical elements required of government agencies and organizations in\n2007 and noted EAC \xe2\x80\x98s level of compliance. The following questions were extracted from\nthe Data Collection Instrument issued by the President\xe2\x80\x99s Council on Integrity and\nEfficiency (PCIE). 
For purposes of this assessment, we extracted high-level questions only. Our results are documented in the following table. Each entry gives the reference, the control step, our assessment (Yes, No, Partial, or Not Applicable), and Clifton Gunderson's comments.

Step 1    Has EAC confirmed identification of personally identifiable information protection needs? If so, to what level?
          Assessment: Partial
          Comments: Although EAC has not received an inventory of all systems used by GSA to support EAC's activities, EAC has identified the need to protect all portable computers accessing EAC data. To achieve this goal, management has affirmed that EAC has procured "Credant" encryption software. We noted during the period of our audit that about 70 percent of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are indeed encrypted and noted no exception.
          EAC has identified that Pegasys and the Comprehensive Human Resources Integrated System (CHRIS) are the GSA-owned systems that contain EAC's personally identifiable information.

Step 2    Has EAC verified the adequacy of organizational policy? If so, to what level?
          Assessment: Partial
          Comments: Administrative policies have been developed addressing employee conduct and hiring procedures. However, EAC has not identified security policies and procedures.

Step 3    Has EAC implemented protections for personally identifiable information being transported and/or stored offsite? If so, to what level?
          Assessment: Partial
          Comments: See Step 1 above. EAC has procured encryption software to protect information being transported and/or stored off-site. We noted during the period of our audit that about 70 percent of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are encrypted and noted no exception.
          We noted that EAC-issued BlackBerry devices are not currently encrypted with the Credant encryption software.

Step 4    Has EAC implemented protections for remote access to personally identifiable information? If so, to what level?
          Assessment: Partial
          Comments: The IG's office has signed GSA's Rules of Behavior policy establishing acceptable use of government information resources, including downloading software, improper web access, etc. EAC's rules of behavior are currently incorporated into the EAC Security Awareness and Privacy Training programs.
          EAC has not conducted a risk assessment that addresses the risks associated with download, remote access, or other removal of PII from each system containing PII.
          Virtual Private Network (VPN) use has been granted to a selected few individuals. We selected a sample of five (5) VPN users to determine whether their access was appropriately authorized and noted no exception.
          EAC does not have a Plan of Actions and Milestones (POA&M) for developing and implementing protection of sensitive information.

Sect 2.1  Has the Agency encrypted all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the Agency Deputy Secretary or an individual he/she may designate in writing?
          Assessment: Partial
          Comments: We noted during the period of our audit that about 70 percent of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are encrypted and noted no exception.
          We noted that EAC-issued BlackBerry devices and portable memory sticks are not currently encrypted with the Credant encryption software.

Sect 2.2  Does the Agency use remote access with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access?
          Assessment: No
          Comments: We were not provided evidence of major steps and milestones directed to implement two-factor authentication.

Sect 2.3  Does the Agency use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity?
          Assessment: Partial
          Comments: Although EAC has implemented a "time-out" function for EAC desktops, laptops and VPN access requiring user re-authentication after 30 minutes of inactivity, formalized EAC policies and procedures requiring this configuration have not been developed to date.

Sect 2.4  Does the Agency log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or that its use is still required?
          Assessment: No / Not Applicable
          Comments: EAC does not own or operate any information systems that hold sensitive information. All identified systems (Pegasys, FMIS and CHRIS) are owned and managed by GSA.
          EAC, on the other hand, has not defined which systems have to be logged and the nature of activity to be logged and reported by its service provider.

Step 5    Has the Agency implemented provisions of OMB M-07-16 of May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"?
          Assessment: Partial
          Comments: EAC has not documented procedures to follow when responding to a breach of PII. However, EAC follows GSA policies on the reporting of PII breaches within the first hour of occurrence. EAC is also required to fill out the GSA incident report to describe the event and any other details.

Recommendations

We recommend EAC management:

1) Designate a Chief Privacy Officer or formally appoint an individual with the responsibility of monitoring and enforcing privacy-related policies and procedures. Privacy responsibilities should be added to the position description (PD) of this assigned individual.

2) Develop an understanding of which EAC systems are covered by GSA's FISMA review rotation plan. Consequently, EAC should request from the service provider their systems review rotation schedule and note which systems are covered in each year's rotation.
   For fiscal years where EAC systems are not covered, GSA should grant EAC access to review these systems to comply with FISMA requirements.

3) Develop and implement formal policies that address the information protection needs associated with PII to include:
   a) references to applicable information technology security policies and procedures;
   b) EAC-specific procedures for responding to breaches of PII;
   c) identification of which PII systems are to be logged and the nature of activity to be logged and reported by the respective service provider(s);
   d) requirements to utilize a time-out function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity.

4) Complete the encryption of BlackBerry devices and laptops with Credant encryption software, and implement two-factor authentication.

5) Develop and maintain a plan of actions and milestones (POA&M) to address weaknesses identified in developing and implementing protections of PII.

6) Conduct a risk assessment which addresses the risks associated with the download, remote access, or other removal of PII from each system containing PII.

Management's Response:

1) The Human Resources Director will be assigned as the Chief Privacy Officer and will modify the PD to include the necessary functions. In addition, she will be taking necessary training towards certification. This will be effective March 16, 2009. Alice Miller, the COO, will be responsible for implementation.

2) EAC has an inventory of GSA systems that we use. These GSA systems are covered by GSA's FISMA review. With this, EAC has an understanding of the rotation schedule for these systems. GSA provides EAC with the required documents for FISMA compliance. EAC will request the documentation for these systems to include the POA&M to identify what vulnerabilities these systems have and what GSA is doing to remediate them in the off-years. The request will be completed by March 16 and will be the responsibility of the IT Specialist.

3) EAC has begun to evaluate the necessary steps to implement formal policies and procedures that address the information protection needs and has concluded that it will be necessary to procure outside help to fully implement the recommendation. Once the Continuing Resolution is lifted and budgetary resources are identified, EAC will consider releasing an RFP for the services. Anticipated date for release is within 45 days of the removal of the CR and approval of a budget. The Contracting Officer and IT Specialist will be responsible for this task. In addition, EAC has taken some steps to implement the recommendations. For instance, there is currently a 30-minute time-out function for both RAS and VPN remote connections. Also, there is a maximum 15-minute time-out function on all BlackBerry mobile devices.

4) With the assistance of GSA, EAC has encrypted all BlackBerry devices. The Credant encryption software has been installed on all laptops. The EAC has begun the process of identifying appropriate software to encrypt thumb drives, which will be encrypted prior to distribution to staff.

5) EAC is in the process of drafting a formal plan of actions and milestones to address weaknesses identified in developing and implementing the protections of PII. Estimated date of the first release is June 30, 2009. Responsible party is Diana Scott, Director of Administration.

6) EAC intends to conduct a risk assessment which addresses the risks associated with the download, remote access or other removal of PII from each system containing PII. Once the Continuing Resolution is lifted and budgetary resources are identified, EAC will consider releasing an RFP for the services. Anticipated date for release is within 45 days of the removal of the CR and approval of a budget. The Contracting Officer, Chief Privacy Officer and IT Specialist will be responsible for this task.


APPENDIX

U. S. ELECTION ASSISTANCE COMMISSION
OFFICE OF THE EXECUTIVE DIRECTOR
1225 New York Avenue, NW, Suite 1100
Washington, DC 20005

February 20, 2009

MEMORANDUM

TO:      Curtis Crider, Inspector General

FROM:    Thomas R. Wilkey, Executive Director

RE:      Responses to Draft Audit Report - Review of U.S. Election Assistance Commission's Compliance with Section 522 of the Consolidated Appropriations Act, 2005 (Assignment No. 1-EV-EAC 02-08)


Recommendation #1

Designate a Chief Privacy Officer or formally appoint an individual with the responsibility of monitoring and enforcing privacy-related policies and procedures. Privacy responsibilities should be added to the position description (PD) of this assigned individual.

Response #1

The Human Resources Director will be assigned as the Chief Privacy Officer and will modify the PD to include the necessary functions. In addition, she will be taking necessary training towards certification. This will be effective March 16, 2009.
Alice Miller, the COO, will be responsible for implementation.


Recommendation #2

Develop an understanding of which EAC systems are covered by GSA's FISMA review rotation plan. Consequently, EAC should request from the service provider their systems review rotation schedule and note which systems are covered in each year's rotation. For fiscal years where EAC systems are not covered, GSA should grant EAC access to review these systems to comply with FISMA requirements.

Response #2

EAC has an inventory of GSA systems that we use. These GSA systems are covered by GSA's FISMA review. With this, EAC has an understanding of the rotation schedule for these systems. GSA provides EAC with the required documents for FISMA compliance. EAC will request the documentation for these systems to include the POA&M to identify what vulnerabilities these systems have and what GSA is doing to remediate them in the off-years. The request will be completed by March 16 and will be the responsibility of the IT Specialist.


Recommendation #3

Develop and implement formal policies that address the information protection needs associated with PII to include:
a) references to applicable information technology security policies and procedures,
b) EAC-specific procedures for responding to breaches of PII,
c) identification of which PII systems are to be logged and the nature of activity to be logged and reported by the respective service provider(s),
d) requirements to utilize a time-out function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity.

Response #3

EAC has begun to evaluate the necessary steps to implement formal policies and procedures that address the information protection needs and has concluded that it will be necessary to procure outside help to fully implement the recommendation. Once the Continuing Resolution is lifted and budgetary resources are identified, EAC will consider releasing an RFP for the services. Anticipated date for release is within 45 days of the removal of the CR and approval of a budget. The Contracting Officer and IT Specialist will be responsible for this task. In addition, EAC has taken some steps to implement the recommendations. For instance, there is currently a 30-minute time-out function for both RAS and VPN remote connections. Also, there is a maximum 15-minute time-out function on all BlackBerry mobile devices.


Recommendation #4

Complete the encryption of BlackBerry devices and laptops with Credant encryption software, as well as implement two-factor authentication.

Response #4

With the assistance of GSA, EAC has encrypted all BlackBerry devices. The Credant encryption software has been installed on all laptops. The EAC has begun the process of identifying appropriate software to encrypt thumb drives, which will be encrypted prior to distribution to staff.


Recommendation #5

Develop and maintain a plan of actions and milestones (POA&M) to address weaknesses identified in developing and implementing protections of PII.

Response #5

EAC is in the process of drafting a formal plan of actions and milestones to address weaknesses identified in developing and implementing the protections of PII. Estimated date of the first release is June 30, 2009. Responsible party is Diana Scott, Director of Administration.


Recommendation #6

Conduct a risk assessment which addresses the risk associated with the download, remote access, or other removal of PII from each system containing PII.

Response #6

EAC intends to conduct a risk assessment which addresses the risks associated with the download, remote access or other removal of PII from each system containing PII. Once the Continuing Resolution is lifted and budgetary resources are identified, EAC will consider releasing an RFP for the services. Anticipated date for release is within 45 days of the removal of the CR and approval of a budget. The Contracting Officer, Chief Privacy Officer and IT Specialist will be responsible for this task.


ccs:   Chair Beach
       Commissioners Hillman, Davidson, Rodriguez
       Alice Miller, Chief Operating Officer
       Diana Scott, Director of Administration


OIG's Mission

The OIG audit mission is to provide timely, high-quality professional products and services that are useful to OIG's clients. OIG seeks to provide value through its work, which is designed to enhance the economy, efficiency, and effectiveness in EAC operations so they work better and cost less in the context of today's declining resources. OIG also seeks to detect and prevent fraud, waste, abuse, and mismanagement in these programs and operations. Products and services include traditional financial and performance audits, contract and grant audits, information systems audits, and evaluations.

Obtaining Copies of OIG Reports

Copies of OIG reports can be requested by e-mail (eacoig@eac.gov).

Mail orders should be sent to:
U.S. Election Assistance Commission
Office of Inspector General
1225 New York Ave. NW - Suite 1100
Washington, DC 20005

To order by phone: Voice: (202) 566-3100
                   Fax: (202) 566-0957

To Report Fraud, Waste and Abuse Involving the U.S. Election Assistance Commission or Help America Vote Act Funds

By Mail:     U.S. Election Assistance Commission
             Office of Inspector General
             1225 New York Ave. NW - Suite 1100
             Washington, DC 20005

E-mail:      eacoig@eac.gov

OIG Hotline: 866-552-0004 (toll free)

FAX:         202-566-0957